IPSec Mobile Clients (2.2.3) - No Connection
-
Hi all,
Wondered if anyone could shed some light on the following? I have set up a Phase 1 and 2 IPSec for mobile clients; essentially we have some clients that need to dial in to the L2TP VPN from an office, but the office network hardware doesn't support Site to Site tunnels (which the firewall is already configured with). What I'm seeing in the IPSec log is:
Jan 6 11:01:30 charon: 07[NET] <2> received packet: from 82.132.220.195[49990] to 91.212.182.118[4500] (92 bytes)
Jan 6 11:01:30 charon: 07[ENC] <2> invalid ID_V1 payload length, decryption failed?
Jan 6 11:01:30 charon: 07[ENC] <2> could not decrypt payloads
Jan 6 11:01:30 charon: 07[IKE] <2> message parsing failed
Jan 6 11:01:30 charon: 07[IKE] <2> message parsing failed
Jan 6 11:01:30 charon: 07[ENC] <2> generating INFORMATIONAL_V1 request 3156362578 [ HASH N(PLD_MAL) ]
Jan 6 11:01:30 charon: 07[NET] <2> sending packet: from 91.212.182.118[500] to 82.132.220.195[49989] (76 bytes)
Jan 6 11:01:30 charon: 07[IKE] <2> ID_PROT request with message ID 0 processing failed
Jan 6 11:01:30 charon: 07[IKE] <2> ID_PROT request with message ID 0 processing failed
This was me trying to connect from an Android-based Samsung S5, running CyanogenMod 12, if it matters.
I have set up the Phase 1/2 according to the following:
https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To#IPsec_Server_Setup
In the "Mobile Clients" tab, I have used the subnet 10.20.30.0 /24
In the Ph2, the Local Network has been set as the interface connected to the infrastructure's management network (what we want the dial-in users to be able to access; these are on 10.10.26.0 /24). I input the firewall's WAN IP in the phone, the username and password created in User Manager, and the Ph1 PreSharedKey. The phone simply reports "Connection Unsuccessful", with no other useful output.
Any ideas??? More config details can be supplied if needed. Thanks
-
Any ideas on this guys?
If not, any suggestions on better tutorials or setups to use to give a Mac user an L2TP/IPSec connection into the firewall? It just has to be dial-in; we can't use a site-to-site for him.
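As an added example, not part of the original thread or of pfSense/strongSwan, here is a small Python triage script that reads the charon log lines quoted in the first post (duplicated entries dropped), groups them by IKE SA id, and reports what the log actually says: the first encrypted main-mode payload (the ID payload, IKEv1 `ID_PROT`) could not be decrypted, and the reply left from a different UDP port than the request arrived on. The finding text is my interpretation of those lines, not something the log states itself.

```python
import re
from collections import defaultdict

# Charon lines copied from the post above, one log entry per line (repeats dropped).
CHARON_LOG = """\
Jan 6 11:01:30 charon: 07[NET] <2> received packet: from 82.132.220.195[49990] to 91.212.182.118[4500] (92 bytes)
Jan 6 11:01:30 charon: 07[ENC] <2> invalid ID_V1 payload length, decryption failed?
Jan 6 11:01:30 charon: 07[ENC] <2> could not decrypt payloads
Jan 6 11:01:30 charon: 07[IKE] <2> message parsing failed
Jan 6 11:01:30 charon: 07[ENC] <2> generating INFORMATIONAL_V1 request 3156362578 [ HASH N(PLD_MAL) ]
Jan 6 11:01:30 charon: 07[NET] <2> sending packet: from 91.212.182.118[500] to 82.132.220.195[49989] (76 bytes)
Jan 6 11:01:30 charon: 07[IKE] <2> ID_PROT request with message ID 0 processing failed
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) charon: \d+\[(?P<sub>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$')
RECV_RE = re.compile(r'received packet: from (?P<peer>[\d.]+)\[(?P<pport>\d+)\] to [\d.]+\[(?P<lport>\d+)\]')
SEND_RE = re.compile(r'sending packet: from [\d.]+\[(?P<lport>\d+)\] to (?P<peer>[\d.]+)\[(?P<pport>\d+)\]')

def analyze(log_text):
    """Group charon lines by IKE SA id and summarise why IKEv1 phase 1 failed."""
    sas = defaultdict(lambda: {
        "peer": None, "recv": set(), "send": set(),
        "decrypt_failures": 0, "main_mode_failed": False, "findings": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sa, msg = sas[m["sa"]], m["msg"]
        r, s = RECV_RE.search(msg), SEND_RE.search(msg)
        if r:  # remember who the peer is and which local/remote ports the request used
            sa["peer"] = r["peer"]
            sa["recv"].add((int(r["lport"]), int(r["pport"])))
        elif s:
            sa["send"].add((int(s["lport"]), int(s["pport"])))
        if "decryption failed" in msg or "could not decrypt payloads" in msg:
            sa["decrypt_failures"] += 1
        if msg.startswith("ID_PROT request") and "processing failed" in msg:
            sa["main_mode_failed"] = True
    for sa in sas.values():
        if sa["main_mode_failed"] and sa["decrypt_failures"]:
            sa["findings"].append("first encrypted main-mode payload (ID) failed to decrypt: "
                                  "both sides derived different keys, the usual sign of a pre-shared key mismatch")
        if any(lp == 4500 for lp, _ in sa["recv"]) and any(lp == 500 for lp, _ in sa["send"]):
            sa["findings"].append("request arrived on udp/4500 (NAT-T) but the reply left from udp/500: "
                                  "check that NAT Traversal is enabled and udp/4500 is allowed in on WAN")
    return dict(sas)

if __name__ == "__main__":
    for sa_id, sa in analyze(CHARON_LOG).items():
        print(f"IKE SA {sa_id} peer {sa['peer']}:", *sa["findings"], sep="\n  ")
```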